2024 Volume 32 Pages 1090-1104
Open source software (OSS) has gained significant prominence in recent years, and the security of OSS is a vital concern for information systems that rely on it. When vulnerabilities are identified in OSS projects, prior security research has proposed approaches such as vulnerability classification, risk estimation, and exploitability analysis. However, evaluating whether these vulnerabilities, together with the risks arising in the OSS development process, pose security threats remains a complex challenge. In this study, we first conducted an interview survey on existing vulnerability management practices; the findings indicated a need for continuous and automated countermeasures against attacks, grounded in an understanding of OSS security risks. We then evaluated the effectiveness of such countermeasures and, to address these issues, proposed a security risk indicator for OSS. The proposed method computes the indicator by integrating vulnerability information with the development status of the OSS project. The indicator serves as a benchmark for security measures in the operation of information systems that use OSS. In our evaluation, we assessed the effectiveness of the proposed indicator in identifying threats across multiple OSS projects and measured the computational cost of calculating it.